1. Field of the Invention
The present invention is directed to a security module for monitoring security in an electronic system and to a method for monitoring the system security particularly suited for employment in a postage meter machine or mail processing machine or a computer with mail processing capability.
2. Description of the Prior Art
A large variety of protection measures are known for protecting against outages or disturbances as well as for offering 100% availability of intelligent electronic systems. For example, parallel computer systems are utilized for extremely high security demands (air traffic, etc.); stored results, for example, are more likely to be redundantly implemented for low level applications in order to create the possibility of recognizing a malfunction or an outage as well as, potentially, creating the possibility for correction. Often, the individual security measures are of very different natures (for example, combinations of hardware and software) and must be adapted to the respective security requirement (which may be needed for only a portion of a system), which leads to many dedicated, discrete solutions that cause high design costs, and under certain circumstances realization costs as well, due to their individual character.
European Application 417 447 discloses the use of special modules in electronic data processing systems which are equipped with means for protecting against an invasion into their electronics. Such modules are referred to as security modules below.
Modern postage meter machines or other devices for franking postal matter are equipped with a printer for printing the postal value stamp onto the postal matter, a controller for controlling the printing and the peripheral components of the postage meter machine, an accounting unit for debiting postage fees that are maintained in nonvolatile memories, and a unit for the cryptographic protection of the postage fee data. A security module (European Application 789 333) can include a hardware accounting unit and/or a unit for securing the printing of the postage fee data. For example, the former can be realized as application specific integrated circuit (ASIC) and the latter can be realized as an OTP (one-time programmable) processor. The internal OTP-ROM stores sensitive data (cryptographic keys) secured against read out that are required, for example, for reloading a credit. An encapsulation with a security housing offers further protection.
Further measures for protecting a security module against an attack on the data stored therein are described in German Applications 198 16 572.2, and 198 16 571.4, as well as co-pending U.S. application Ser. No. 09/522,619 (filed Mar. 10, 2000) and Ser. No. 09/522,620 (filed Mar. 10, 2000) and Ser. No. 09/522,621 (filed Mar. 9, 2000), and German Utility Model application 299 05 219.2. A luggable security module can assume various states in its life cycle. A distinction can be made as to whether the security module is functioning or malfunctioning. It is assumed that the hardware circuitry of this module is adequately protected against tampering, so this is not separate monitored. Any software-controlled operation is only considered error-free only as long as the original programs, remain intact which must therefore be protected against manipulation.
An object of the present invention is to provide a high level of security for an electronic system by means of a security module and method. The method and security module should, with minimal outlay, enable a high level of security for definable areas and functions of a system and should be universally applicable, i.e. with only minimum adaptation outlay, to a large variety of different electronic systems. The method and security module should, for example, be employable in postage meter machines, for which there are special security demands with respect to the postal register data since, in particular, the monetary accounting data must be incapable of being manipulated.
This object is achieved in a method and module for ensuring security of an electronic system is assured wherein the integrity of the system is repeatedly checked over time. A modular structure of the security method provides a two-stage, overlapping testing that fundamentally distinguishes between static and dynamic conditions of the system. The data, functions and patterns that are non-volatilely stored in memory areas are suitable for representing a system status. Pre-determined sub-areas of the memory can be allocated to specific data processing units, and the data stored therein create a xe2x80x9csnapshotxe2x80x9d that is characteristic of the status of the system at that time. Predetermined sub-areas of the memory can be allocated to specific status representations that are reached in chronological succession.
The validation of a system status given dynamic changes in accordance with the invention is based on the overlapping processing of data from at least parts of the test patterns, function scope or memory area employed, individually or in combination with one another. The overlapping processing includes a mutual transposition of the data supplied from a specific data processing unit and the data supplied by another specific data processing unit, and further includes implementing a redundant security function on the transposed data by the two data processing units. The results of the redundant data processing must be comparable for a system to be determined as tamper-free and error-free.
A security module for a data processing system, for example for a postage meter machine, performs the function of, for example, accounting for the postage fees, and/or cryptographic protection. The security module has a module processor and a hardware accounting unit. The security module is inventively characterized by its own indicator that, with direct drive by the module processor of the security module, allows identification of the current condition of the security module. The signaling of the module condition is activated only when the security module is supplied with system voltage, in order to preserve the battery. The processor also can monitor or check the operation of the hardware accounting unit. The availability of the system is not paramount but rather the dependable recognition of malfunctions or outages as well as a suitable reaction thereto, as is particularly for events which are security-sensitive but somewhat uncritical as to time.